Offline JWT Validation with Go

How to validate a JSON Web Token with Go

Florian von Bock

Hi Phillip!

There is a high-severity bug in jwt-go (CVE assigned: https://nvd.nist.gov/vuln/d…)

It is discussed on the ticket here: https://github.com/dgrijalv…

As the original author/maintainer seems not to be active on the project, a couple of forks/fixes have been made. See the ticket for those and/or alternative JWT implementations.

Cheers

Joël Franusic

Hi Florian,

Thanks for bringing this up. I haven’t yet tested this, but I believe that Phillip’s example would address this particular CVE since he manually verifies the “aud” claim:

// Manual audience check from Phillip's example (quotes fixed to plain ASCII).
} else if token.Claims.(jwt.MapClaims)["aud"] != "api://default" {
    errorMessage = "Invalid aud"
}

I’m going to look into testing this to be sure, of course. However, at first glance, it seems like Phillip’s code is okay in regards to this specific CVE.
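A fail-closed audience check along the lines Joël describes, as an added example (not Phillip's code from the post and not jwt-go's own verification). It assumes the claims have already been decoded into a map[string]interface{}, which is the underlying type of jwt.MapClaims, handles both the string and the array form of "aud" that RFC 7519 allows, and leaves signature verification aside.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// VerifyAudience fails closed: a missing "aud", an unexpected JSON type, or a
// value that does not name the expected audience all return false. RFC 7519
// allows "aud" to be a single string or an array of strings, so both are handled.
func VerifyAudience(claims map[string]interface{}, expected string) bool {
	raw, ok := claims["aud"]
	if !ok || expected == "" {
		return false
	}
	switch aud := raw.(type) {
	case string:
		return aud == expected
	case []interface{}:
		for _, v := range aud {
			if s, ok := v.(string); ok && s == expected {
				return true
			}
		}
	}
	return false
}

// ParsePayload decodes a JWT payload object into the map[string]interface{}
// shape that encoding/json (and jwt.MapClaims) produce. Signature checking is
// out of scope here; only the audience claim check is shown.
func ParsePayload(payload string) (map[string]interface{}, error) {
	var claims map[string]interface{}
	err := json.Unmarshal([]byte(payload), &claims)
	return claims, err
}

func main() {
	// Constructed sample payloads: string aud, array aud, wrong aud, no aud.
	for _, p := range []string{
		`{"aud":"api://default","sub":"alice"}`,
		`{"aud":["api://default","api://other"],"sub":"bob"}`,
		`{"aud":["api://other"],"sub":"carol"}`,
		`{"sub":"dave"}`,
	} {
		claims, err := ParsePayload(p)
		fmt.Printf("%-52s -> ok=%v err=%v\n", p, VerifyAudience(claims, "api://default"), err)
	}
}
```

Because jwt.MapClaims is a named map[string]interface{}, a value of that type can be passed to VerifyAudience directly after the token's signature has been verified.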